raindigi / reaction

Reaction is a customizable, real-time reactive, JavaScript commerce platform.
https://reactioncommerce.com/
GNU General Public License v3.0
0 stars 0 forks source link

[Snyk] Security upgrade handlebars from 4.1.0 to 4.1.1 #185

Open snyk-bot opened 2 years ago

snyk-bot commented 2 years ago

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

merge advice

Changes included in this PR

Vulnerabilities that will be fixed

With an upgrade:
Severity Priority Score (*) Issue Breaking Change Exploit Maturity
high severity 768/1000
Why? Proof of Concept exploit, Recently disclosed, Has a fix available, CVSS 7.5
Prototype Pollution
SNYK-JS-ASYNC-2441827
No Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages
Package name: handlebars The new version differs by 20 commits.
  • f691db5 v4.1.1
  • 25b2e11 Update release notes
  • e5c3937 Update release notes
  • aef7287 Merge pull request #1511 from wycats/saucelabs
  • 684f103 chore: reactivate saucelabs-tests
  • 7840ab6 test: make security testcase internet explorer compatible
  • 4108b83 Merge pull request #1504 from liqiang372/deprecate-substr-method
  • 445ae12 deprecate substr method and use existing strip function in grammar
  • 5cedd62 fix: add "runtime.d.ts" to allow "require('handlebars/runtime')"
  • 40fb115 Revert "chore: re-activate saucelabs"
  • b2e2cfe chore: re-activate saucelabs
  • 037bfbf Merge pull request #1500 from wycats/neo-async
  • 048f2ce refactor: replace "async" with "neo-async"
  • b92589a test: add test for NodeJS compatibility
  • 1c62d4c Merge branch 'issue-1495' into 4.x
  • b02e9a2 test: run appveyor tests in Node 10
  • f1c8b2e chore: disable sauce-labs
  • dbc50ac chore: bump version of grunt-saucelabs
  • c6a8fc1 chore: add .idea and yarn-error.log to .gitignore
  • 42841c4 fix: disallow access to the constructor in templates to prevent RCE
See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.


Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information: 🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic


Learn how to fix vulnerabilities with free interactive lessons:

🦉 Prototype Pollution